chore(deps): update osc-tdx-qgs to edc6055

[red-hat-konflux]

Image created from 'https://github.com/openshift/confidential-compute-artifacts?rev=125c5641d6c66f9a8e5f6c7722dbd499e0404417'

This PR contains the following updates:

Package	Update	Change
quay.io/redhat-user-workloads/ose-osc-tenant/osc-tdx-qgs	digest	0251f07 -> edc6055

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request updates the osc-tdx-qgs container image reference from the previous SHA256 digest (sha256:0251f0...) to a new digest (sha256:edc605...) in three files: the operator manager deployment config (config/manager/manager.yaml), the ClusterServiceVersion bundle manifest (bundle/manifests/sandboxed-containers-operator.clusterserviceversion.yaml) in both the RELATED_IMAGE_TDX_QGS environment variable and the spec.relatedImages entry, and the baremetal DaemonSet helper (scripts/install-helpers/baremetal-coco/intel-dcap/qgs.yaml) for both the platform-registration initContainer and the main tdx-qgs container.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

• snir911
• tbuskey

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: updating the osc-tdx-qgs image digest from 0251f07 to edc6055.
Description check	✅ Passed	The description directly relates to the changeset, documenting the dependency update with a clear before/after digest change and relevant metadata.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only image digest configs, not test files. All existing Ginkgo tests have stable, deterministic names with no dynamic content.
Test Structure And Quality	✅ Passed	PR modifies only YAML configuration files (image digest updates), containing no Ginkgo test code. Custom check for test structure quality is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. All changes are image digest updates in YAML configuration files. The MicroShift test compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only modifies YAML configuration files (image digests in manifests and deployment specs). No new Ginkgo e2e tests are added, so the SNO test compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates container image digests; introduces no scheduling constraints, affinity rules, topology assumptions, or modifications to existing scheduling configuration.
Ote Binary Stdout Contract	✅ Passed	PR contains only YAML configuration file changes (image digest updates), with no modifications to Go source code or binary entry points, so OTE Binary Stdout Contract cannot be violated.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR only updates container image digests in three YAML configuration files (ClusterServiceVersion, manager deployment, and DaemonSet). No new Ginkgo e2e tests are added, so the IPv6/disconnecte...
No-Weak-Crypto	✅ Passed	PR only updates container image SHA256 digests in YAML configs; no weak crypto algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) or custom crypto implementations detected.
Container-Privileges	✅ Passed	This PR only updates container image digests; privileged settings (hostNetwork, privileged, allowPrivilegeEscalation) in qgs.yaml are pre-existing from earlier commits, not newly introduced.
No-Sensitive-Data-In-Logs	✅ Passed	PR only updates container image digests in Kubernetes YAML config files; no logging statements that could expose sensitive data are present or modified.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/component-updates/osc-operator-bundle-component-update-osc-tdx-qgs

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

scripts/install-helpers/baremetal-coco/intel-dcap/qgs.yaml (4)

20-20: 🔒 Security & Privacy | 🔴 Critical

Remove hostNetwork: true or provide security justification.

Exposing the host network namespace is a critical security risk. As per path instructions, hostNetwork is not permitted in Kubernetes manifests. If host network access is absolutely required for DCAP functionality, this must be documented with a security justification explaining the specific requirement and threat model mitigation.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/install-helpers/baremetal-coco/intel-dcap/qgs.yaml` at line 20, The
qgs.yaml manifest contains hostNetwork: true which violates security policies by
exposing the host network namespace. Remove the hostNetwork: true configuration
from the Pod specification. If host network access is genuinely required for
DCAP functionality to operate correctly, do not remove it but instead add clear
documentation in the manifest (as comments or in accompanying documentation)
that explains the specific security justification, the exact DCAP requirement
that necessitates host network access, and the threat model mitigation
strategies in place.

Source: Path instructions

---

22-46: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Add resource limits to the initContainer.

The initContainer platform-registration (lines 22–46) is missing CPU and memory resource limits. Path instructions require resource limits on every container. Add resources.limits.cpu and resources.limits.memory (and optionally requests) to ensure the container doesn't exhaust node resources.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/install-helpers/baremetal-coco/intel-dcap/qgs.yaml` around lines 22 -
46, The platform-registration initContainer is missing resource limits
configuration. Add a resources section to the platform-registration
initContainer specification that includes limits for both cpu and memory fields.
You can optionally also add requests for cpu and memory if needed. This section
should be added at the same indentation level as other container specification
fields like securityContext, volumeMounts, and env.

Source: Path instructions

---

37-38: 🔒 Security & Privacy | 🔴 Critical

Remove privileged: true and allowPrivilegeEscalation: true from initContainer, or provide written security justification.

The initContainer violates two critical path instructions:

1. Line 37: allowPrivilegeEscalation: true must be false
2. Line 38: privileged: true is explicitly forbidden unless justified

If privileged mode is required for EFI/firmware registration on TDX hardware, this must be clearly documented with a security justification explaining why capabilities are insufficient and what threat model this mitigates. Consider using a minimally privileged approach with only required capabilities (e.g., CAP_SYS_RAWIO or CAP_SYS_BOOT) instead of blanket privileged access.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/install-helpers/baremetal-coco/intel-dcap/qgs.yaml` around lines 37 -
38, The initContainer in the qgs.yaml file has two security vulnerabilities:
allowPrivilegeEscalation is set to true and privileged is set to true. Change
allowPrivilegeEscalation to false and remove the privileged: true line entirely,
or if privileged mode is genuinely required for EFI/firmware registration on TDX
hardware, add explicit written security justification in code comments
explaining why this is necessary and what threat model it addresses. As an
alternative to blanket privileged access, investigate using a minimally
privileged approach with only the specific required Linux capabilities (such as
CAP_SYS_RAWIO or CAP_SYS_BOOT) instead of full privileged mode.

Source: Path instructions

---

2-88: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Add liveness and readiness probes to DaemonSet containers.

Neither the initContainer nor the main container defines liveness or readiness probes. Path instructions require liveness and readiness probes for Kubernetes manifests. Without probes, Kubernetes cannot detect if the tdx-qgs container has crashed or become unresponsive, and the DaemonSet will not properly report pod health status.

Consider adding a simple HTTP or exec-based readiness probe to verify the QGS service is listening on port 4050 (as specified in args at line 51).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/install-helpers/baremetal-coco/intel-dcap/qgs.yaml` around lines 2 -
88, Add liveness and readiness probes to both the platform-registration
initContainer and the tdx-qgs main container in the DaemonSet spec. For the
tdx-qgs container, add an httpGet readiness probe that checks the service on
localhost port 4050 (as specified in the container args with -p=4050) to verify
the QGS service is responding. Configure appropriate initialDelaySeconds and
periodSeconds values to account for startup time. For the platform-registration
initContainer, since it runs once during initialization, you may add a simpler
exec-based readiness probe or skip the liveness probe but ensure readiness is
properly defined. These probes enable Kubernetes to detect when the containers
have crashed or become unresponsive and maintain proper health status reporting
for the DaemonSet.

Source: Path instructions

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@scripts/install-helpers/baremetal-coco/intel-dcap/qgs.yaml`:
- Line 20: The qgs.yaml manifest contains hostNetwork: true which violates
security policies by exposing the host network namespace. Remove the
hostNetwork: true configuration from the Pod specification. If host network
access is genuinely required for DCAP functionality to operate correctly, do not
remove it but instead add clear documentation in the manifest (as comments or in
accompanying documentation) that explains the specific security justification,
the exact DCAP requirement that necessitates host network access, and the threat
model mitigation strategies in place.
- Around line 22-46: The platform-registration initContainer is missing resource
limits configuration. Add a resources section to the platform-registration
initContainer specification that includes limits for both cpu and memory fields.
You can optionally also add requests for cpu and memory if needed. This section
should be added at the same indentation level as other container specification
fields like securityContext, volumeMounts, and env.
- Around line 37-38: The initContainer in the qgs.yaml file has two security
vulnerabilities: allowPrivilegeEscalation is set to true and privileged is set
to true. Change allowPrivilegeEscalation to false and remove the privileged:
true line entirely, or if privileged mode is genuinely required for EFI/firmware
registration on TDX hardware, add explicit written security justification in
code comments explaining why this is necessary and what threat model it
addresses. As an alternative to blanket privileged access, investigate using a
minimally privileged approach with only the specific required Linux capabilities
(such as CAP_SYS_RAWIO or CAP_SYS_BOOT) instead of full privileged mode.
- Around line 2-88: Add liveness and readiness probes to both the
platform-registration initContainer and the tdx-qgs main container in the
DaemonSet spec. For the tdx-qgs container, add an httpGet readiness probe that
checks the service on localhost port 4050 (as specified in the container args
with -p=4050) to verify the QGS service is responding. Configure appropriate
initialDelaySeconds and periodSeconds values to account for startup time. For
the platform-registration initContainer, since it runs once during
initialization, you may add a simpler exec-based readiness probe or skip the
liveness probe but ensure readiness is properly defined. These probes enable
Kubernetes to detect when the containers have crashed or become unresponsive and
maintain proper health status reporting for the DaemonSet.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7641896f-a5f2-4c6d-b030-448d975b5b89

📥 Commits

Reviewing files that changed from the base of the PR and between 4295879 and d2e05c7.

📒 Files selected for processing (3)

• bundle/manifests/sandboxed-containers-operator.clusterserviceversion.yaml
• config/manager/manager.yaml
• scripts/install-helpers/baremetal-coco/intel-dcap/qgs.yaml